[myinitialsaretk]

I hear you, I've been in the same situation.

I write very clear instructions in a Google Doc and share with multiple key people at a client that sum up a high level of: Here's where all of your stuff is. Here's what the next technical person would need to find and get access to everything.

Then a USB key with all of their keyfiles. And a Keepass file with all of their passwords. I keep a copy encrypted and saved for myself for the inevitable 2 year later email of 'we lost access to everything.'

I've also put all of this info on a box not publicly accessible to the internet, but in their VPC.

Basically, Dear Future Tech person - ssh in here and you can get all of the instructions and access that you need.

[stepbeek]

> 2 year later email of 'we lost access to everything.'

This is my recurring fear. It's why I like the idea of making it difficult for the client to gain this access because I'm hoping that a misplaced access mechanism doesn't leave the system wide open.

[myinitialsaretk]

An agency I worked with handled this liability via a support contract.

It was structured as, pay us for N hours a month of retainer, we will keep your servers patched and secured with updates and maintain all of your credentials.

Otherwise, we don't want the liability of having access to all of your systems, so we need to expire our access and hand it over to someone on your team.

Sometimes the company had an IT dept that had no idea what to do with the info, but would be in charge of keeping it. Or they would be happy to pay for us to stay on top of things.